✨ Limit max_response_size
#444
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
_Please note:_ this only limits the size per response. It does _not_ limit how many unhandled responses may be stored on the responses hash.
Though it would be useful to also have limits based on response type and what commands are currently running, that's out of scope for now. _Please note:_ this only limits the size per response. It does _not_ limit how many unhandled responses may be stored on the responses hash.
nevans
force-pushed
the
limit-response-size
branch
from
14c2532 to
b6bdee2
Compare
This was referenced Apr 21, 2025
This was referenced May 5, 2025
headius
added a commit
to headius/jruby
that referenced
this pull request
May 5, 2025
Security fixes were in 0.5.7 See https://github.com/ruby/net-imap/releases/tag/v0.5.7 * ruby/net-imap#419 * ruby/net-imap#444 The security advisory is at GHSA-j3g3-5qv5-52mj Release 0.5.8 includes additional improvements and fixes. See https://github.com/ruby/net-imap/releases/tag/v0.5.8
headius
added a commit
to headius/jruby
that referenced
this pull request
May 5, 2025
Security fixes were in 0.5.7 See https://github.com/ruby/net-imap/releases/tag/v0.5.7 * ruby/net-imap#419 * ruby/net-imap#444 The security advisory is at GHSA-j3g3-5qv5-52mj Release 0.5.8 includes additional improvements and fixes. See https://github.com/ruby/net-imap/releases/tag/v0.5.8
This was referenced Sep 25, 2025
This was referenced Oct 5, 2025
This was referenced Oct 26, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add
Net::IMAP::Config#max_response_size, with a very high default value of 512MiB. Use#max_response_sizeto impose a limit on incoming server responses as they are being read. This is especially important for untrusted servers.Socket reads are limited to the maximum remaining bytes for the current response:
max_response_sizeminus the bytes that have already been read. When the limit is reached, or reading aliteralwould go over the limit,ResponseTooLargeErroris raised and the connection is closed.Though it would be useful to also have limits based on response type and what commands are currently running, that's out of scope for now.
Please note: this only limits the size per response. It does not limit how many unhandled responses may be stored on the responses hash.